Security Policies for Institutions of Higher Education

Ardoth A. Hassler, Associate VP for University Information Services, Georgetown University
Tracy B. Mitrano, Director of IT Policy and Computer Policy and Law Program, Cornell University

PowerPoint presentation; transcript follows.

Transcript of Security Policies for Institutions of Higher Education

Page 1: Security Policies for Institutions of Higher Education

Security Policies for Institutions of Higher Education

Ardoth A. Hassler, Associate VP for University Information Services, Georgetown University

Tracy B. Mitrano, Director of IT Policy and Computer Policy and Law Program, Cornell University

Page 2: Security Policies for Institutions of Higher Education

May 17, 2004

Abstract

Security policies are an important component of an overall security strategy. This presentation will describe the security policies of Georgetown University and Cornell University. It will include a discussion of the policy development process, lessons learned, efforts to inform users, and policy impact.

Page 3: Security Policies for Institutions of Higher Education

Higher Ed IT Environments

- Historically "open" network environments
- Wide range of hardware and software, from outdated to state-of-the-art
- Increasing demands for distributed computing, distance learning and mobile/wireless capabilities, which create unique security challenges
- Lack of clearly defined security requirements (what do we need to protect, and why?)
- Experimentation and anonymity highly valued (easy access in opposition with responsibility and security)
- Students and staff with little or no security training
- Persistent belief that security and academic freedom are antithetical

EDUCAUSE/NSF Scan of Higher Education IT/Data Environments, August 2002

Page 4: Security Policies for Institutions of Higher Education

Don't forget….

- Laws
- Regulations
- Contracts
- Other campus policies…

Page 5: Security Policies for Institutions of Higher Education

GU's Policy Development Process
http://www.georgetown.edu/policy/technology/process.htm

1. Articulate a clear, concise rationale for the establishment of the policy or guidelines.
2. Identify the "process or executive sponsor(s)."
3. Establish the working group.
4. Establish a timeline.
5. Determine whether an interim policy or guidelines are needed.
6. Establish the approval process.
7. List all other (potentially) affected policies and guidelines.

Page 6: Security Policies for Institutions of Higher Education

GU's Policy Development Process

Good
- We have a process!
- Helps with campus-wide issues
- We don't have a central policy office

Not so good
- We don't have a central policy office
- Harder to coordinate with other policy makers
- Other units don't have defined policy processes
- Lack of common terminology

Page 7: Security Policies for Institutions of Higher Education

Cornell University Policy Process

Process
- Impact Statement
- Executive Policy Review Group
- Policy Review Group
- Executive Policy Review Group (final)

Promulgation

Education

Implementation

Page 8: Security Policies for Institutions of Higher Education

Cornell University Policy Process

Good
- Legitimates policy
- Provides process
- Harmonizes policy across organization

Not so good
- Finance centric
- Limited representation and buy-in
- Creates more challenges for IT policy

Page 9: Security Policies for Institutions of Higher Education

[Figure: map of IT policies, color-coded by their stage in the Cornell policy process.]

Policies shown:
- Security of Information Technology Resources
- Responsible Use of Information Technology Resources
- Encryption Key Escrow
- Recording and Registration of Domain Names
- Reporting Security Incidents
- Network Registry
- Authentication and Authorization
- Access to Electronic Mail
- Privacy of Network and Network Flow Logs
- Use of Encryption Escrow Keys
- Mass Electronic Mailing

Color key:
- Bright green: existing University policy
- Turquoise: existing policy, scheduled for revision
- Light green: EPRG approved, scheduled for promulgation early 2004
- Light yellow: PAG approved, scheduled for EPRG review early 2004
- Tan: Impact Statement approved, drafting with stakeholders
- Bright blue: OIT drafting impact statement

Page 10: Security Policies for Institutions of Higher Education

Georgetown's "Statement"

The Georgetown University Information Security Policy (the "Policy") serves to create an environment that will help protect all members of the Georgetown University community (the "University") from information security threats that could compromise privacy, productivity, reputation, or intellectual property rights. The Policy recognizes the vital role information plays in the University's educational, research, operational, and medical advancement missions, and the importance of taking the necessary steps to protect information in all forms. As more information is used and shared by students, faculty and staff, both within and outside the University, a concomitant effort must be made to protect information. The Policy serves to protect information resources from threats from both within and outside of the University by setting forth responsibilities, guidelines, and practices that will help the University prevent, deter, detect, respond to, and recover from compromises to these resources, and to foster an environment of secure dissemination of information.

Page 11: Security Policies for Institutions of Higher Education

Cornell's Statement

Cornell University expects all individuals using information technology devices connected to the network to take appropriate measures to manage the security of those devices.

The university must preserve its information technology resources, comply with applicable laws and regulations, and comply with other university or unit policy regarding protection and preservation of data.

Towards these ends, faculty, staff and students must share in the responsibility of the security of IT devices.

Page 12: Security Policies for Institutions of Higher Education

Information Security Policy: Obligations of All Users

Georgetown: assigns people into four main groups:
- Information Service Providers (both central and local)
- Information Stewards
- Managers of Users
- Users

Defines the role of:
- University Information Security Officer
- Local Information Security Personnel

Cornell: assigns people into five groups:
- IT Security Director
- Unit Heads
- Security Liaison
- Local Support Provider
- Users

Page 13: Security Policies for Institutions of Higher Education

Information Security Policy

Georgetown:
- Security Policy applies to all information
- Data policy in progress
- Defines classifications of information, roles, and responsibilities

Cornell:
- Data explicitly separate from IT security policies
- Data Stewardship and Custodianship
- Authentication and Authorization policy does implicate data, but under the rubric of Data policy.

Page 14: Security Policies for Institutions of Higher Education

GU's Information Security Policy

Responsibilities:
- Classifying information (separate policy at Cornell)
- Managing authorization (separate policy at Cornell)
- Backing up information (separate policy at Cornell, and up to the data steward)
- Computer security (passwords, antivirus, software patches, etc.)
- Incident reporting and record keeping
- Establishing local security policies and procedures

Page 15: Security Policies for Institutions of Higher Education

Cornell Data Stewardship and Custodianship Policy

- For administrative data
- Seven functional areas
- Data stewards required to set policy for their own area
- No dispute resolution for cross-data usage

Custodian prohibitions
- No changing data
- No "administrative voyeurism"
- No resolving IP addresses without authority

Page 16: Security Policies for Institutions of Higher Education

Cornell Policy Promulgation

- Coordination with central policy office
- Education
  - Forums on each policy, with demonstration of associated software and personnel for procedures
  - List services to targeted groups: raises lots of questions and gets issues out on the table, especially for people more comfortable with a computer for expression and communication than in a public setting
- Implementation
  - Always raises new issues, procedures and problems unforeseen in the drafting and promulgation of policy
  - Domain name as an issue

Page 17: Security Policies for Institutions of Higher Education

GU's efforts to inform users

Education
- What is information security?
- Why do we need it?
- What's in the policy?
- What does this mean to me?
- Everyone's responsibilities

Excerpts from our "road show"

Page 18: Security Policies for Institutions of Higher Education

What is Information Security?

Page 19: Security Policies for Institutions of Higher Education

Why do we need the policy?

Page 20: Security Policies for Institutions of Higher Education

What are the goals of the policy?

Page 21: Security Policies for Institutions of Higher Education

More on why we need the policy and its goals…

[Figure: "Threat Capabilities: More Dangerous & Easier To Use", © 2001 Cisco Systems. The chart plots, from 1980 to 2000, the sophistication of hacker tools against the technical knowledge required to use them (scale: low to high), with tool sophistication rising while the knowledge required falls. Milestones labeled along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, sweepers, sniffers, stealth diagnostics, packet forging/spoofing, DDoS, Internet worms.]

Page 22: Security Policies for Institutions of Higher Education

Scare tactics

Page 23: Security Policies for Institutions of Higher Education

This one really got them!

Page 24: Security Policies for Institutions of Higher Education

Other reasons we need the policy

Page 25: Security Policies for Institutions of Higher Education

A bit about…

Page 26: Security Policies for Institutions of Higher Education

…a bit more…

Page 27: Security Policies for Institutions of Higher Education

While we have their attention…

Page 28: Security Policies for Institutions of Higher Education

About the policy itself…

Page 29: Security Policies for Institutions of Higher Education

Who's who

Page 30: Security Policies for Institutions of Higher Education

What it's all about…

Page 31: Security Policies for Institutions of Higher Education

Now, we got specific…

Page 32: Security Policies for Institutions of Higher Education

Mantra 2004

Privacy and Security
Security and Privacy
Privacy and Security
Security and Privacy

- Equally weighted in regulatory legislation
- Complement each other
- Works with everyone in the community; unifies rather than bifurcates.

Page 33: Security Policies for Institutions of Higher Education

GU Policy Impact

- Made HIPAA, GLBA easier
- Satisfied external and internal auditors
- Opportunity to educate the community
- Provides operating framework

Page 34: Security Policies for Institutions of Higher Education

CU's Policy Impact

- Part of the security program package
  - Director-level IT Security for entire university
- Part of compliance with federal law and regulations
- Part of IT policy framework
  - Protecting and preserving university interests and assets
  - Balancing security and privacy
- Part of policy framework
  - Community effort
  - Policy as "citizenship"

Page 35: Security Policies for Institutions of Higher Education

Action Agenda

1. Identify Responsibilities and Accountability for Information Security
2. Conduct Institutional Risk Assessments
3. Develop Security Policies, Procedures, and Standards
4. Increase Everyone's Awareness and Enhance Training

Page 36: Security Policies for Institutions of Higher Education

Action Agenda (cont'd)

5. Require Secure Products From Vendors
6. Design, Develop, and Deploy Secure Communication and Information Systems
7. Invest in Staff and Tools
8. Establish Collaboration and Information Sharing Mechanisms

Page 37: Security Policies for Institutions of Higher Education

Lessons Learned

Cornell:
- Work procedurally and frame conceptually in the context of one's own environment

Georgetown:
- Make sure you've got the right "usual suspects"
- Take the time to achieve consensus or work through the issues
- Educate the community

Page 38: Security Policies for Institutions of Higher Education

Summary

Crisis begets opportunity
- Information Security has become a major opportunity at universities for leadership
- Problems can impact an organization's reputation, operational responsibilities, and financial health
- Needs to be a top IT agenda issue
- Senior University leadership must be aware of the risks posed by information security
- University Information Security Policy enables the university to better protect information
- Creates a sense of community: everyone has responsibility
- Create an awareness in perpetuity

Page 39: Security Policies for Institutions of Higher Education

"Bottom line…"

All users are responsible for protecting information resources to which they have access

Page 40: Security Policies for Institutions of Higher Education

Contacts

Ardoth Hassler
[email protected]
security.georgetown.edu
Security Officer: Brian Reilly

Tracy Mitrano
[email protected]
http://www.cit.cornell.edu/oit/PolicyOffice.html
Security Officer: Steve Schuster

Page 41: Security Policies for Institutions of Higher Education

Questions?